Analysis
-
max time kernel: 150s
-
max time network: 125s
-
platform: windows10_x64
-
resource: win10v20201028
-
submitted: 29-12-2020 01:52
-
Static task: static1
-
Behavioral task: behavioral1
Sample: 4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe
Resource: win7v20201028
-
Behavioral task: behavioral2
Sample: 4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe
Resource: win10v20201028
General
-
Target: 4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe
-
Size: 214KB
-
MD5: b130cfd3d346bd719bd1e38f051768d2
-
SHA1: de29701a3f0d6c24a6e10717e35379ed702db868
-
SHA256: 4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a
-
SHA512: 33811ddb6ff9715e337bcbb0923b23cdc0e8ee8dca1cb7d85a175e5d40e7deb3c23fbe0010b829b8289de86268440e6806ee5df06447c8102707c84e8389222e
Malware Config
Extracted
Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Emails: kevin.2021@yandex.com, maarten.2021@yandex.com
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
pid 2636: smss.exe
pid 584: smss.exe
-
Deletes itself 1 IoCs
Processes:
pid 2628: notepad.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe, Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run
4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe, Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
smss.exe, File opened (read-only): \??\T: \??\Q: \??\P: \??\K: \??\J: \??\Z: \??\Y: \??\X: \??\A: \??\L: \??\B: \??\W: \??\O: \??\N: \??\S: \??\G: \??\F: \??\M: \??\I: \??\H: \??\E: \??\V: \??\U: \??\R:
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 5: geoiptool.com
-
Drops file in Program Files directory 23888 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 1364: vssadmin.exe
pid 2456: vssadmin.exe
-
Modifies system certificate store
Processes:
4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe, Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe, Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <blob data omitted>
-
Suspicious behavior: EnumeratesProcesses 7854 IoCs
Processes:
pid 2636: smss.exe (the same entry repeated throughout the listing)
-
Suspicious use of AdjustPrivilegeToken 89 IoCs
Processes:
pid 1156, 4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe: Token: SeDebugPrivilege (listed twice)
pid 2552, WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 448, WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 2164, vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
pid 2552, WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
PID 1156 (4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe) wrote to memory of 2636 (smss.exe), 3 entries
PID 1156 (4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe) wrote to memory of 2628 (notepad.exe), 6 entries
PID 2636 (smss.exe) wrote to memory of 3176 (cmd.exe), 3 entries
PID 2636 (smss.exe) wrote to memory of 2460 (cmd.exe), 3 entries
PID 2636 (smss.exe) wrote to memory of 4084 (cmd.exe), 3 entries
PID 2636 (smss.exe) wrote to memory of 3948 (cmd.exe), 3 entries
PID 2636 (smss.exe) wrote to memory of 528 (cmd.exe), 3 entries
PID 2636 (smss.exe) wrote to memory of 3204 (cmd.exe), 3 entries
PID 2636 (smss.exe) wrote to memory of 584 (smss.exe), 3 entries
PID 528 (cmd.exe) wrote to memory of 2456 (vssadmin.exe), 3 entries
PID 3176 (cmd.exe) wrote to memory of 2552 (WMIC.exe), 3 entries
PID 3204 (cmd.exe) wrote to memory of 448 (WMIC.exe), 3 entries
PID 3204 (cmd.exe) wrote to memory of 1364 (vssadmin.exe), 3 entries
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4355077d9e650cde600c29caf7fc7128ebb1f42331f130bbfe0e66265c67022a.exe"
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
        - Executes dropped EXE
        - Drops file in Program Files directory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  [2] C:\Windows\SysWOW64\notepad.exe
      Command line: notepad.exe
      - Deletes itself
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Downloads